Wazuh installation guide on RHEL

Ritaj biri
5 min read · Jan 17, 2024


AI-generated Image

Wazuh is a powerful, free, and open-source security platform that offers unified XDR (Extended Detection and Response) and SIEM (Security Information and Event Management) capabilities.

Wazuh collects, analyzes, and stores logs from endpoints, network devices, and applications. The Wazuh agent on each endpoint forwards logs to the Wazuh server. Additionally, you can forward logs via syslog or third-party API integrations.

System Requirements:

Refer to the following article:

Wazuh consists of three main components: the Indexer, Server, and Dashboard. While each component can be installed on separate servers, this guide will cover deploying all components on a single server.

The server specifications used for this guide are:

OS: Red Hat Enterprise Linux 8.4
CPU: 8vCPU
RAM: 16 GiB
Storage: 100 GB

The main server containing all the Wazuh components will be referred to as the Wazuh manager.

Installation guide:

To install Wazuh v4.7, follow these steps:

  • Run the following command on your server. This will download and execute the installation script:
curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a

Once the installation is complete, the script prints your admin login credentials. Save them, as you will need them to log in to the Wazuh dashboard; you can change them later from the web interface.

Note: You can also find the password in the wazuh-passwords.txt file inside wazuh-install-files.tar.

To view the file content, run the following command:

sudo tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

  • Open your browser and navigate to the IP address of your Wazuh server.
  • Log in to the Wazuh dashboard using the admin credentials obtained in the previous step.

If you encounter issues accessing the Wazuh dashboard, you can temporarily stop the OS firewall to check whether it is blocking the connection:

systemctl stop firewalld.service

Your browser may display a certificate error since you have not set up a certificate for the server.

You can refer to the following Wazuh documentation for guidance:

  • Verify that the Wazuh manager is listening on the required ports (1514 / 1515):
netstat -ltpnd
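To make that port check repeatable, here is an added example (not part of the original article) that parses the output of `ss -ltn`, the iproute2 equivalent of `netstat -ltpn` that is present even on a minimal RHEL 8 install without net-tools. Besides ports that are not listening at all, it flags a port bound only to a loopback address, which agents connecting from other hosts cannot reach. The port-purpose labels and the sample `ss` output are constructed for this example.

```python
"""Post-install listener check for a single-node Wazuh manager.

Added example, not part of the original article: parses `ss -ltn` output
and reports required ports that are not listening, or are bound only to a
loopback address, where remote agents and browsers cannot reach them.
"""
import ipaddress
import subprocess

# Ports the guide relies on. The purpose labels are this example's own wording.
REQUIRED_PORTS = {
    1514: "agent connections",
    1515: "agent enrollment",
    443: "dashboard HTTPS",
}

# Constructed sample of `ss -ltn` output (not captured from a real host):
# 1514 is fine, 1515 is bound to loopback only, 443 is not listening at all.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:1514         0.0.0.0:*
LISTEN  0       128     127.0.0.1:1515       0.0.0.0:*
LISTEN  0       128     127.0.0.1:9200       0.0.0.0:*
LISTEN  0       511     [::]:22              [::]:*
"""


def parse_listeners(ss_output):
    """Return {port: set(bind addresses)} for every LISTEN line in `ss -ltn` output."""
    listeners = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or unexpected format
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        listeners.setdefault(int(port), set()).add(addr.strip("[]"))
    return listeners


def is_loopback_only(addrs):
    """True when every bind address is loopback (127.x.x.x or ::1).

    Wildcard binds (0.0.0.0, :: or *) are not loopback, so a port bound
    to them counts as reachable from other hosts.
    """
    def loopback(addr):
        try:
            return ipaddress.ip_address(addr).is_loopback
        except ValueError:  # e.g. "*" as printed by some ss versions
            return False
    return all(loopback(a) for a in addrs)


def check_required_ports(ss_output, required=REQUIRED_PORTS):
    """Return sorted (port, problem) tuples; an empty list means all ports are reachable."""
    listeners = parse_listeners(ss_output)
    problems = []
    for port, purpose in sorted(required.items()):
        if port not in listeners:
            problems.append((port, f"not listening ({purpose})"))
        elif is_loopback_only(listeners[port]):
            problems.append((port, f"bound to loopback only ({purpose})"))
    return problems


def check_live():
    """Run `ss -ltn` on this host (the Wazuh manager) and check the result."""
    result = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True)
    return check_required_ports(result.stdout)


if __name__ == "__main__":
    for port, problem in check_required_ports(SAMPLE_SS_OUTPUT):
        print(f"port {port}: {problem}")
```

Run `check_live()` on the manager after the services are up. If stopping firewalld earlier was what made the dashboard reachable, the durable fix is to start firewalld again and open only the ports this check lists (`firewall-cmd --permanent --add-port=1514/tcp`, and so on, followed by `firewall-cmd --reload`) rather than leaving the firewall off.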

Installing agents on Linux machines:

To install Wazuh agents on Linux endpoints, refer to the following article:

Deploying Wazuh agents on Linux endpoints — Wazuh agent

After the installation, you can confirm its success by running the following commands on the Wazuh manager to list the available agents:

cd /var/ossec/bin/
./manage_agents -l

If the endpoint is not listed, run a telnet test from the endpoint running the agent to the Wazuh manager to confirm that the connection is allowed:

telnet <wazuh manager IP> 1514

Installing agents on Windows machines:

To install Wazuh agents on Windows endpoints, refer to the following article:

Installing Wazuh agents on Windows endpoints — Wazuh agent

Enabling additional Modules on the Dashboard:

To enable additional modules, follow these steps:

  1. Click on the drop-down menu next to the Wazuh logo in the dashboard.
  2. Select Settings → Modules.

Note: These settings can also be configured via the ossec.conf file located at /var/ossec/etc/ossec.conf, along with other customization options.

One recommended setting to enable is the Vulnerability Detector for the operating systems in your environment. Here is an example from the ossec.conf file:

<vulnerability-detector>
<enabled>yes</enabled>
<interval>5m</interval>
<min_full_scan_interval>6h</min_full_scan_interval>
<run_on_start>yes</run_on_start>
</vulnerability-detector>

After editing ossec.conf, restart the services for the change to take effect:

systemctl restart wazuh-manager.service
systemctl restart wazuh-indexer.service
systemctl restart wazuh-dashboard.service

You can change the minimum alert level that gets logged and shown in the dashboard:

<alerts>
<log_alert_level>3</log_alert_level>
</alerts>

Delete an Agent:

Execute the following command on the Wazuh manager and follow the prompts:

/var/ossec/bin/manage_agents

Updating Wazuh:

Stop the services before upgrading.

yum upgrade wazuh-indexer
yum upgrade wazuh-manager
yum upgrade wazuh-dashboard

systemctl daemon-reload

Uninstalling:

To uninstall Wazuh and its components, run the uninstall script:

sudo bash wazuh-install.sh --uninstall

Using SYSLOG to collect logs:

You can use syslog to collect logs from devices on which a Wazuh agent cannot be installed, e.g. firewalls, switches, etc.

You will need to make sure that the Wazuh manager is listening on the syslog port configured below (514/tcp in this example):

Perform the following steps to forward logs using rsyslog to the Wazuh server:

  • Edit the /etc/rsyslog.conf file and add the following configuration:

*.info @@<WAZUH_SERVER_IP_ADDRESS>:514

This line tells rsyslog to forward logs with a severity level of info (or any higher severity level) to the Wazuh server at the specified IP address and port 514. The @@ symbol is used to indicate that this is a TCP-based forwarding action.

Note: Replace <WAZUH_SERVER_IP_ADDRESS> with the actual IP address of your Wazuh server.

  • Restart rsyslog:

systemctl restart rsyslog

  • Edit the Wazuh configuration file:

nano /var/ossec/etc/ossec.conf

Example of the syslog configuration in ossec.conf:

<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips><LINUX_ENDPOINT_IP_ADDRESS></allowed-ips>
</remote>

Then restart the Wazuh manager to apply the change:

systemctl restart wazuh-manager
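The rsyslog line and the `<remote>` block have to agree on three things, or logs are silently dropped: transport (`@@` is TCP, a single `@` is UDP) versus `<protocol>`, the port, and whether the sending host falls inside `<allowed-ips>` (Wazuh accepts a single IP or a CIDR network there). The following added example, not part of the original article, parses both sides and reports any mismatch; it also rejects an rsyslog line that lacks the space between the selector and the `@@`. The manager IP, sender IP, network and ossec.conf fragment are constructed sample values.

```python
"""Consistency check for an rsyslog -> Wazuh manager syslog forwarding pair.

Added example, not from the original article: compares the rsyslog
forwarding action with the syslog <remote> block(s) in ossec.conf.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Legacy rsyslog forwarding action: "<selector> @host[:port]" (UDP) or
# "<selector> @@host[:port]" (TCP). An optional "(...)" option group after
# the @'s is tolerated. A missing space before the @ makes the line invalid.
_FORWARD_RE = re.compile(r"^\s*(\S+)\s+(@@?)(?:\([^)]*\))?([^:\s]+)(?::(\d+))?\s*$")

# Constructed sample values (TEST-NET ranges, not real hosts).
SAMPLE_RSYSLOG_LINE = "*.info @@203.0.113.10:514"
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>198.51.100.0/24</allowed-ips>
  </remote>
</ossec_config>
"""


def parse_rsyslog_forward(line):
    """Return {'selector', 'protocol', 'host', 'port'} or None if not a forward action."""
    m = _FORWARD_RE.match(line)
    if not m:
        return None
    selector, at, host, port = m.groups()
    return {
        "selector": selector,
        "protocol": "tcp" if at == "@@" else "udp",
        "host": host,
        "port": int(port) if port else 514,  # rsyslog defaults to 514
    }


def parse_remote_blocks(ossec_xml):
    """Return the syslog <remote> blocks as dicts.

    ossec.conf may contain several top-level <ossec_config> elements, so the
    text is wrapped in a synthetic root before parsing.
    """
    root = ET.fromstring("<root>" + ossec_xml + "</root>")
    blocks = []
    for remote in root.iter("remote"):
        if (remote.findtext("connection") or "").strip() != "syslog":
            continue
        blocks.append({
            "port": int((remote.findtext("port") or "514").strip()),
            "protocol": (remote.findtext("protocol") or "").strip().lower(),
            "allowed_ips": [e.text.strip() for e in remote.findall("allowed-ips") if e.text],
        })
    return blocks


def sender_allowed(sender_ip, allowed_ips):
    """True if sender_ip falls inside any <allowed-ips> entry (single IP or CIDR)."""
    ip = ipaddress.ip_address(sender_ip)
    for entry in allowed_ips:
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # typo or an unresolved placeholder value
            continue
    return False


def check_forwarding(rsyslog_line, ossec_xml, sender_ip):
    """Return a list of findings; an empty list means the pair is consistent."""
    fwd = parse_rsyslog_forward(rsyslog_line)
    if fwd is None:
        return ["rsyslog line is not a forwarding action (expected '<selector> @@host:port')"]
    matching = [b for b in parse_remote_blocks(ossec_xml) if b["port"] == fwd["port"]]
    if not matching:
        return [f"no syslog <remote> block listens on port {fwd['port']}"]
    findings = []
    for block in matching:
        if block["protocol"] != fwd["protocol"]:
            findings.append(f"rsyslog sends over {fwd['protocol']} but <remote> protocol is "
                            f"'{block['protocol'] or 'unset'}'")
        if not sender_allowed(sender_ip, block["allowed_ips"]):
            findings.append(f"sender {sender_ip} is not covered by <allowed-ips> {block['allowed_ips']}")
    return findings


if __name__ == "__main__":
    for finding in check_forwarding(SAMPLE_RSYSLOG_LINE, SAMPLE_OSSEC_CONF, "198.51.100.25"):
        print(finding)
```

Run it with the real line from /etc/rsyslog.conf, the contents of /var/ossec/etc/ossec.conf and the IP the forwarding device uses as its source address; an empty result means the three settings agree, after which a test message sent from the device should show up in the manager's logs.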
